SSC & Sonar Plugin - Access Denied Error "View jobs in queue"

Dear all, I am trying to use the Sonar Plugin 2.3 (https://github.com/rsenden/fortify-integration-sonarqube-ssc) together with SSC 17.20. I followed the instructions on GitHub for the installation and preparation of Sonar and SSC. During my Sonar execution via Maven, after the successful upload of the FPR file, I get the following error:

{"message":"Access Denied. This permission is required to complete this action: [view].","responseCode":500,"errorCode":-10301}

This is quite strange, because the Sonar token has the required permission in serviceContext.xml, i.e.

<value>GET=/api/v\d+/jobs(/[^/]+)*/?</value>

The FPR has been successfully uploaded and processed, no error or approval step was pending.

If I look in the ssc-access.log, I see the request being denied:

127.0.0.1 - - [11/Nov/2018:22:03:45 +0100] "GET /ssc/api/v1/jobs?fields=state&q=id:"JOB_ARTIFACTUPLOAD$feed51b4-fa1b-45be-9cd7-6841cc001ce2"&start=0&limit=50 HTTP/1.1" 500 139

Even more strange: when I manually construct the request in my web browser, it works and the page is returned fine.

authToken:{SonarToken}@localhost:8080/.../jobs

Any hints on what I could try? Any experience with similar cases, like in Jenkins, where you are also able to upload and verify the process status?

Thank you in advance

SonarToken in serviceContext.xml

	<bean id="sonarQubeToken" class="com.fortify.manager.security.ws.AuthenticationTokenSpec">
		<property name="key" value="SonarQubeToken"/>
		<property name="maxDaysToLive" value="90" />
		<property name="actionPermitted">
			<list value-type="java.lang.String">
				<value>GET=/api/v\d+/artifacts/\d+</value>
				<value>GET=/api/v\d+/jobs</value>
				<value>GET=/api/v\d+/projectVersions</value>
				<value>GET=/api/v\d+/projectVersions/\d+/artifacts</value>
				<value>GET=/api/v\d+/projectVersions/\d+/filterSets</value>
				<value>GET=/api/v\d+/projectVersions/\d+/issues</value>
				<value>GET=/api/v\d+/projectVersions/\d+/performanceIndicatorHistories</value>
				<value>GET=/api/v\d+/projectVersions/\d+/variableHistories</value>
				<value>PUT=/api/v\d+/projectVersions/\d+/issueSearchOptions</value>
				<value>POST=/api/v\d+/fileTokens</value>
				<value>POST=/upload/resultFileUpload.html</value>
			</list>
		</property>
		<property name="terminalActions">
			<list value-type="java.lang.String">
				<value>InvalidateTokenRequest</value>
				<value>DELETE=/api/v\d+/auth/token</value>
			</list>
		</property>
	</bean>

Full Stack Trace from maven

[INFO] Uploading FPR file /home/megloff/Documents/SwissConomy/Fortify/Projects/workspace.java/WebGoat/WebGoat5.0.fpr
[ERROR] Exception occured during Fortify sensor execution
java.lang.RuntimeException: Error accessing remote system http://localhost:8080/ssc: Internal Server Error
	at com.fortify.util.rest.connection.AbstractRestConnection.getUnsuccesfulResponseException(AbstractRestConnection.java:407)
	at com.fortify.util.rest.connection.AbstractRestConnection.checkResponseAndGetOutput(AbstractRestConnection.java:371)
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:227)
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:195)
	at com.fortify.util.rest.connection.AbstractRestConnection.executeRequest(AbstractRestConnection.java:182)
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.executeRequest(AbstractRestConnectionQuery.java:139)
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.processSingleRequest(AbstractRestConnectionQuery.java:213)
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.processAll(AbstractRestConnectionQuery.java:203)
	at com.fortify.util.rest.query.AbstractRestConnectionQuery.getUnique(AbstractRestConnectionQuery.java:115)
	at com.fortify.client.ssc.api.SSCJobAPI.getJobById(SSCJobAPI.java:56)
	at com.fortify.client.ssc.api.SSCJobAPI.waitForJobCompletion(SSCJobAPI.java:62)
	at com.fortify.client.ssc.api.SSCArtifactAPI.getJobForUpload(SSCArtifactAPI.java:124)
	at com.fortify.client.ssc.api.SSCArtifactAPI.uploadArtifactAndWaitProcessingCompletion(SSCArtifactAPI.java:134)
	at com.fortify.integration.sonarqube.ssc.FortifySSCConnectionFactory.uploadFPRAndWaitForProcessingToComplete(FortifySSCConnectionFactory.java:143)
	at com.fortify.integration.sonarqube.ssc.FortifySSCConnectionFactory.getConnectionWithArtifactProcessing(FortifySSCConnectionFactory.java:129)
	at com.fortify.integration.sonarqube.ssc.batch.FortifyIssueMetricsAndSensor.processFortifyIssues(FortifyIssueMetricsAndSensor.java:293)
	at com.fortify.integration.sonarqube.ssc.batch.FortifyIssueMetricsAndSensor.executeBeforeMetricsCalculation(FortifyIssueMetricsAndSensor.java:175)
	at com.fortify.integration.sonarqube.ssc.batch.AbstractFortifyMetricsAndSensor.execute(AbstractFortifyMetricsAndSensor.java:89)
	at org.sonar.scanner.sensor.SensorWrapper.analyse(SensorWrapper.java:53)
	at org.sonar.scanner.phases.SensorsExecutor.executeSensor(SensorsExecutor.java:88)
	at org.sonar.scanner.phases.SensorsExecutor.execute(SensorsExecutor.java:82)
	at org.sonar.scanner.phases.SensorsExecutor.execute(SensorsExecutor.java:68)
	at org.sonar.scanner.phases.AbstractPhaseExecutor.execute(AbstractPhaseExecutor.java:88)
	at org.sonar.scanner.scan.ModuleScanContainer.doAfterStart(ModuleScanContainer.java:177)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121)
	at org.sonar.scanner.scan.ProjectScanContainer.scan(ProjectScanContainer.java:291)
	at org.sonar.scanner.scan.ProjectScanContainer.scanRecursively(ProjectScanContainer.java:286)
	at org.sonar.scanner.scan.ProjectScanContainer.doAfterStart(ProjectScanContainer.java:264)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121)
	at org.sonar.scanner.task.ScanTask.execute(ScanTask.java:48)
	at org.sonar.scanner.task.TaskContainer.doAfterStart(TaskContainer.java:84)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
	at org.sonar.core.platform.ComponentContainer.execute(ComponentContainer.java:121)
	at org.sonar.scanner.bootstrap.GlobalContainer.executeTask(GlobalContainer.java:121)
	at org.sonar.batch.bootstrapper.Batch.doExecuteTask(Batch.java:116)
	at org.sonar.batch.bootstrapper.Batch.execute(Batch.java:71)
	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.execute(BatchIsolatedLauncher.java:46)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
	at com.sun.proxy.$Proxy23.execute(Unknown Source)
	at org.sonarsource.scanner.api.EmbeddedScanner.doExecute(EmbeddedScanner.java:171)
	at org.sonarsource.scanner.api.EmbeddedScanner.execute(EmbeddedScanner.java:128)
	at org.sonarsource.scanner.maven.bootstrap.ScannerBootstrapper.execute(ScannerBootstrapper.java:65)
	at org.sonarsource.scanner.maven.SonarQubeMojo.execute(SonarQubeMojo.java:104)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: java.lang.Exception: Error accessing remote system http://localhost:8080/ssc: Internal Server Error, response contents: 
{"message":"Access Denied. This permission is required to complete this action: [view].","responseCode":500,"errorCode":-10301}
	... 71 common frames omitted

 

  • Verified Answer

    I found the reason for the issue and could solve the problem. My user had the standard role "Developer" assigned, but this role does not have the necessary rights to perform this "view jobs" action. So you either need to create your own role with all the required permissions or assign the user to the role "Administrator" (at least for testing the Sonar integration).

    Question: has anyone created a role for "Jenkins" with all its usual permissions and exported the settings as a file from SSC? If you could upload it here, that would be great.
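The thread turns on two separate checks: the token's actionPermitted list and the permissions of the role behind the user. The following is an added example, not code from the post, the plugin or Fortify, that tests a logged request against the token patterns so a denial can be attributed to one layer or the other. It assumes a pattern must match the whole path after the /ssc context root with the query string ignored; the function names and the trimmed bean are made up for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the token bean from the question (constructed sample input).
BEAN = r'''<bean id="sonarQubeToken">
  <property name="actionPermitted"><list>
    <value>GET=/api/v\d+/artifacts/\d+</value>
    <value>GET=/api/v\d+/jobs</value>
    <value>POST=/api/v\d+/fileTokens</value>
  </list></property>
</bean>'''

# The failing ssc-access.log line from the question.
LOG = ('127.0.0.1 - - [11/Nov/2018:22:03:45 +0100] "GET /ssc/api/v1/jobs?fields=state'
       '&q=id:"JOB_ARTIFACTUPLOAD$feed51b4-fa1b-45be-9cd7-6841cc001ce2"'
       '&start=0&limit=50 HTTP/1.1" 500 139')

def load_permitted(bean_xml):
    """Return [(method, compiled_path_regex)] from the actionPermitted list."""
    root = ET.fromstring(bean_xml)
    rules = []
    for value in root.findall("./property[@name='actionPermitted']/list/value"):
        method, _, pattern = value.text.strip().partition("=")
        rules.append((method, re.compile(pattern)))
    return rules

def parse_request(line, context_root="/ssc"):
    """Extract (method, path, status); the URL may contain unencoded quotes."""
    m = re.search(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})', line)
    if m is None:
        raise ValueError("not an access-log request line")
    path = m.group(2).split("?", 1)[0]          # assumption: query string is ignored
    if path.startswith(context_root):
        path = path[len(context_root):]          # assumption: patterns are context-relative
    return m.group(1), path, int(m.group(3))

def token_allows(rules, method, path):
    # Assumption: a rule applies only when the whole path matches its regex.
    return any(m == method and rx.fullmatch(path) is not None for m, rx in rules)

def triage(bean_xml, line):
    """Say which authorization layer to look at for one logged request."""
    method, path, status = parse_request(line)
    if not token_allows(load_permitted(bean_xml), method, path):
        return "token-scope"        # add or widen an actionPermitted pattern
    return "role-permission" if status >= 400 else "ok"   # token is fine; check the role
```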